
Mac worm rumors swirl; Dai Zovi ships unofficial Mac OS X patch

Amidst unconfirmed rumors that anonymous hackers have created a worm that exploits an unpatched code execution flaw in Mac OS X (Intel), a team of researchers have come up with a way to completely disable a buggy portion of the Mac code base.
Written by Ryan Naraine, Contributor

Led by Mac security researcher Dino Dai Zovi (of CanSecWest MacBook hijack fame), the researchers have created a third-party patch that removes the UPnP code from within mDNSResponder, the Bonjour system service that implements Multicast DNS and DNS-based Service Discovery for finding services on the local network.

Dai Zovi worked with his former employers at Matasano Security on the patch after looking at the worm claim and the recent mDNSResponder patch (and Bonjour exploit) affecting that portion of the Mac OS X code.

[ SEE: Ten questions for MacBook hacker Dino Dai Zovi ]

"If I were to guess about the vulnerability linked to the worm claim, I'd say it's in UPnP. I won't be surprised if there are others looking hard at that piece of code to find holes," Dai Zovi said in a telephone interview.

The patch, which is buyer-beware (and unsupported), does not fix a specific vulnerability. Instead, it removes the LegacyNATTraversal code, the part of mDNSResponder that speaks UPnP to a NAT gateway in order to request port mappings. Hackers consider mDNSResponder the primary remote-to-host attack surface on Mac OS X: it runs by default and parses unsolicited packets arriving from the local network.

Matasano president Dave Goldsmith, a former @Stake researcher who has found and reported numerous Mac OS X vulnerabilities over the years, said that portion of the code contains lots of unbounded memory copies and a history of overflows and memory smashing bugs.

"This patch will hopefully prevent a certain code path from getting executed. No one knows for sure if there's a vulnerability there but we think this (patch) could potentially stop some bad code from getting called," Goldsmith said by telephone.

"The LegacyNATTraversal code is 1994-style C code," Goldsmith said. "There are known bad programming practices lurking in that particular file."
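To make the bug class Goldsmith is describing concrete, here is a constructed miniature of an "unbounded memory copy" in the style of a UPnP discovery-response parser, beside a bounded version. This is an added example for this article, not code from mDNSResponder, from Apple, or from the Matasano patch; the sample response, the header names it looks for, and the 64-byte LOCATION buffer are all assumptions chosen for illustration. The point it shows is that the legacy pattern behaves identically on friendly input, so ordinary testing never reveals it; only a hostile device on the same LAN does.

```c
#include <stdio.h>
#include <string.h>

/* Constructed SSDP-style discovery response (sample data for this
 * example, not a real capture). A UPnP gateway answers M-SEARCH with
 * HTTP-like headers; every byte of the value is chosen by whoever is
 * on the local network. */
static const char SAMPLE_RESPONSE[] =
    "HTTP/1.1 200 OK\r\n"
    "ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    "LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
    "\r\n";

#define LOCATION_MAX 64   /* assumed fixed-size destination buffer */

/* Return a pointer to a header's value (after "Name:" and blanks), or
 * NULL if the header is absent. Case-sensitive match for brevity. */
static const char *find_header_value(const char *resp, const char *name)
{
    size_t nlen = strlen(name);
    const char *line = resp;
    while (line && *line) {
        if (strncmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *v = line + nlen + 1;
            while (*v == ' ' || *v == '\t') v++;
            return v;
        }
        line = strstr(line, "\r\n");
        if (line) line += 2;
    }
    return NULL;
}

/* Legacy pattern: copy the value up to CRLF into the caller's buffer
 * with no idea how big that buffer is. The length comes from the
 * network, so a long LOCATION writes past 'out'. Shown for contrast;
 * never call it on untrusted input. */
char *legacy_get_header(const char *resp, const char *name, char *out)
{
    const char *v = find_header_value(resp, name);
    if (!v) return NULL;
    const char *end = strstr(v, "\r\n");
    size_t len = end ? (size_t)(end - v) : strlen(v);
    memcpy(out, v, len);   /* unbounded: len is attacker-controlled */
    out[len] = '\0';
    return out;
}

/* Bounded pattern: the caller states the buffer size and an oversized
 * value is refused before anything is written.
 * Returns 0 on success, -1 if the header is absent, -2 if too long. */
int get_header(const char *resp, const char *name, char *out, size_t outlen)
{
    const char *v = find_header_value(resp, name);
    if (!v) return -1;
    const char *end = strstr(v, "\r\n");
    size_t len = end ? (size_t)(end - v) : strlen(v);
    if (outlen == 0 || len >= outlen) return -2;   /* keep room for NUL */
    memcpy(out, v, len);
    out[len] = '\0';
    return 0;
}

/* Build a response whose LOCATION is 'n' bytes of 'A' and parse it with
 * the bounded routine into a LOCATION_MAX buffer. Returns get_header's
 * status, or -3 if 'n' will not fit the scratch buffer. */
int oversized_location_status(size_t n)
{
    char buf[4096];
    char loc[LOCATION_MAX];
    if (n > 4000) return -3;
    int off = snprintf(buf, sizeof buf, "HTTP/1.1 200 OK\r\nLOCATION: ");
    memset(buf + off, 'A', n);
    memcpy(buf + off + n, "\r\n\r\n", 5);
    return get_header(buf, "LOCATION", loc, sizeof loc);
}

/* LOCATION from the benign sample via the bounded routine, or NULL. */
const char *sample_location(void)
{
    static char loc[LOCATION_MAX];
    return get_header(SAMPLE_RESPONSE, "LOCATION", loc, sizeof loc) == 0 ? loc : NULL;
}

int main(void)
{
    char loc[LOCATION_MAX];
    /* Both routines agree on the friendly sample, which is exactly why
     * the legacy one survives normal testing. */
    printf("legacy : %s\n", legacy_get_header(SAMPLE_RESPONSE, "LOCATION", loc));
    printf("bounded: %s\n", sample_location());
    printf("500-byte LOCATION -> status %d (legacy copy would overflow)\n",
           oversized_location_status(500));
    return 0;
}
```

Removing the code path entirely, as the Matasano patch does, sidesteps having to find and fix every such copy in the file; the bounded routine above is what the rewrite Dai Zovi is asking Apple for would have to do at every one of them.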

On Matasano's blog, Goldsmith warns that the patch is buyer-beware.

Standard disclaimers about this patch apply (including: may do nothing, may protect you from current/future vulns, may cause mDNSResponder to not work, may break support contracts). Also, this patch is unsupported, which is why I didn't give step by step instructions on how to apply it.

In any event, Dai Zovi said the patch isn't for non-technical Mac users. "There's an opportunity for someone to make it more user-friendly but, right now, it's not something the average user can use," he said.

His advice to Apple: Rewrite the entire UPnP code base.

"It's a feature that's there for a reason but that entire bit of code needs to be rewritten. There are too many (potential) dangers there," he added.
